https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621260#M595215 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I can not see why there should be a hairpinning or U-turn. But since it is working fine from other sites, but not from the other context, then I begin to suspect that it could be something like this.</P><P></P><P>Because we have 2 different webservers and it is the same issue with both of them.</P><P></P><P>the setup is user-context1-context2-webserver</P><P></P><P>Best regards,</P><P></P><P>Erik Jacobsen</P></BODY></HTML> Wed, 05 Jan 2011 20:07:42 GMT Erik Jacobsen 2011-01-05T20:07:42Z https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621258#M595202 <P>Hi,</P><P></P><P>We have 2 security context configured on at PIX 525 with 8.0.2.</P><P></P><P>Users on context 1 should be able to reach webservers on context 2</P><P></P><P>I can not see in any logs that the traffic is being blocked, but it is not possible to get to the page.</P><P></P><P>From everywhere else it works fine from the internet, so the webservers are working fine.</P><P></P><P>If I ping from context 1 I get the right ip address of the webservers, so it does not look like a DNS issue.</P><P></P><P>So the question is, even I'm using 2 context does the firewall see it as one, so it things I'm trying to do hairpinning?</P><P></P><P>Or what can be the reason since it is blocking.</P><P></P><P>Best regards,</P><P></P><P>Erik Jacobsen</P> Mon, 11 Mar 2019 19:30:41 GMT https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621258#M595202 Erik Jacobsen 2019-03-11T19:30:41Z https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621259#M595210 <HTML><HEAD></HEAD><BODY><P>Is this cascading contexts? or is there a layer-3 device in between?</P><P>What is the topology?</P><P></P><P>source--ctx1--ctx2--server</P><P></P><P>or</P><P>source--ctx1--router--ctx2--server?</P><P></P><P>You need to watch the logs in both contexts for these IP addresses in question and see why it is failing.</P><P></P><P>There is no U-Turning here that I can see.</P><P></P><P>-KS</P></BODY></HTML> Wed, 05 Jan 2011 15:42:44 GMT https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621259#M595210 Kureli Sankar 2011-01-05T15:42:44Z https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621260#M595215 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I can not see why there should be a hairpinning or U-turn. But since it is working fine from other sites, but not from the other context, then I begin to suspect that it could be something like this.</P><P></P><P>Because we have 2 different webservers and it is the same issue with both of them.</P><P></P><P>the setup is user-context1-context2-webserver</P><P></P><P>Best regards,</P><P></P><P>Erik Jacobsen</P></BODY></HTML> Wed, 05 Jan 2011 20:07:42 GMT https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621260#M595215 Erik Jacobsen 2011-01-05T20:07:42Z https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621261#M595220 <HTML><HEAD></HEAD><BODY><P>PS. I have checked all Access-lists on both contexts and I there should not be anything blocking.</P><P></P><P>Erik</P></BODY></HTML> Wed, 05 Jan 2011 20:09:03 GMT https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621261#M595220 Erik Jacobsen 2011-01-05T20:09:03Z https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621262#M595222 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Why you dont just try to run a packet-tracer in both context. Tray to take some captures as well. Does the context 1 knows how to reach the server? are you permiting this traffic in context 2? can u post the configuration.... that would make the things easier.</P></BODY></HTML> Thu, 06 Jan 2011 15:48:30 GMT https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621262#M595222 Diego Armando Cambronero Arias 2011-01-06T15:48:30Z https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621263#M595227 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have been running the packet tracer on both contexts, and both of them is saying the traffic should be allowed.</P><P></P><P>My customer just told me that, it actually works some times.</P><P></P><P>So this is even more weird. Because normally it works or else it is blocked.</P><P></P><P>So we are looking a bit on his domain controllers, what have been changed here.</P><P></P><P>I also found out that I can not do a simply ssh to the firewall, only http and telnet works. Even it is configured correct.</P><P></P><P>So the firewall will be scheduled a reboot tomorrow afternone.</P><P></P><P>Thanks,</P><P></P><P>Erik Jacobsen</P></BODY></HTML> Thu, 06 Jan 2011 22:53:00 GMT https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621263#M595227 Erik Jacobsen 2011-01-06T22:53:00Z https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621264#M595230 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thanks for all your time.</P><P></P><P>We have now rebooted the pix 525, and now everything works.</P><P></P><P>and then we found out the "standby" pix did not work, so even more issues.</P><P></P><P>We have adviced the customer to change the pixes almost a year a go, to ASA firewalls. So maybe they soon will find the money <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Case closed.</P><P></P><P>Erik</P></BODY></HTML> Fri, 07 Jan 2011 10:41:03 GMT https://community.cisco.com/t5/network-security/pix-context-hairpinning/m-p/1621264#M595230 Erik Jacobsen 2011-01-07T10:41:03Z